When it comes to virtual desktop security, those words ring especially true.

The point is this: The security tactic you employ depends on what you're securing and who you're protecting it from. Thieves come through the back door. Your teenage daughter's boyfriends come to the front. You want thieves to run as soon as they hear your Rottweiler, but you want the boyfriend to walk up and see your shotgun by the door as you greet him with a firm handshake.

Similarly, virtual and physical desktops require very different security techniques. With virtual desktops, you are protecting a different type of asset and potentially a different audience -- as well as dealing with new risks. Some of the standard desktop security practices used in the physical world might apply, but others are outdated when it comes to VDI security.

Corralling viruses

Getting rid of a virus on a virtual desktop is like being able to eliminate a rat infestation from an entire city without harming any residents or their homes. By using golden images, you preserve the healthy state of the desktop, which can be easily restored. Simply shut down machines for emergency maintenance and force all logoffs in sections, then bring them up in isolated networks or boot users into an image instead. Make sure to include a stricter local firewall policy until the virus is wiped from the network.

Many administrators disable the Windows Firewall because it can be a nuisance for systems management, but it comes in handy for virtual desktop security. Build your golden image normally with the Windows Firewall disabled, but then build a second version with the firewall enabled -- with a strict policy allowing only outbound connections. If a virus outbreak occurs, force the firewall-enabled image to be the base image for all users. They will then be able to connect to their resources, but each system will now be isolated.

As for detecting viruses, VDI security admins should change their tactics as well. Imagine 2,000 (or even 200) virtual machines all scanning their drives at the same time. The storage I/O load could bring the entire environment to a screeching halt.

Here are some new virtual desktop security tactics to consider:

Use randomized downloads and scan windows to limit the number of systems running updates and doing a full scan at the same time.

Use your antivirus product's ability to pre-scan, approve and ignore files from a gold image or clone, so that only new files that were created or modified are scanned. Each of the major vendors now has specific procedures for golden images in VDI.
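One way to plan the randomized scan windows described above, shown as an added example that is not part of the original article or any antivirus vendor's tooling: a salted hash shuffles the desktops, and a round-robin assignment keeps the number of overlapping full scans under a storage-friendly cap. The hostnames, window length, scan duration, cap, salt and function names are all assumptions.

```python
import hashlib
from collections import Counter


def _rank(hostname: str, salt: str) -> bytes:
    # Salted hash gives a stable but unpredictable ordering; changing the
    # salt (for example, per week) reshuffles which VMs scan first.
    return hashlib.sha256(f"{salt}:{hostname.lower()}".encode()).digest()


def plan_scan_slots(hostnames, window_minutes, scan_minutes, max_concurrent, salt=""):
    """Return {hostname: start_offset_minutes} with at most max_concurrent
    full scans overlapping, assuming each scan finishes within scan_minutes."""
    hosts = sorted(set(h.lower() for h in hostnames), key=lambda h: _rank(h, salt))
    slots = window_minutes // scan_minutes
    if slots < 1 or max_concurrent < 1:
        raise ValueError("window shorter than one scan, or cap below 1")
    if len(hosts) > slots * max_concurrent:
        raise ValueError(
            f"{len(hosts)} VMs do not fit: {slots} slots x {max_concurrent} per slot"
        )
    # Round-robin over the shuffled order spreads VMs evenly across slots.
    return {host: (i % slots) * scan_minutes for i, host in enumerate(hosts)}


def peak_concurrency(plan, scan_minutes):
    """Largest number of scans running during any minute of the plan."""
    running = Counter()
    for start in plan.values():
        for minute in range(start, start + scan_minutes):
            running[minute] += 1
    return max(running.values(), default=0)


if __name__ == "__main__":
    # Constructed inventory: 2,000 pooled desktops named vdi-0000 .. vdi-1999.
    fleet = [f"vdi-{n:04d}" for n in range(2000)]
    plan = plan_scan_slots(fleet, window_minutes=480, scan_minutes=30,
                           max_concurrent=125, salt="2024-W01")  # constructed salt
    print("peak concurrent scans:", peak_concurrency(plan, 30))
    print("first five:", sorted(plan.items())[:5])
```

The planner raises an error instead of silently exceeding the cap when the fleet does not fit the window, which is the signal to lengthen the window or raise the cap deliberately.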

Controlling Internet usage

As environments shift to virtual desktops, system and user policies become more prevalent. IT organizations should become familiar with policy-based controls such as Group Policy Objects, Symantec Endpoint Protection, etc. These tactics improve VDI security by centralizing control of the user environment.

Here are some areas you can easily control using virtual desktop security policies:

Age of temporary files stored by browsers

Types of files that can be downloaded

Where to download the files. This allows you to control the location for better visibility.

Scripts that can be executed

Sites that are granted higher privileges

Security practices of the past may not necessarily apply to VDI security. Here is a more complete breakdown of the differences between physical and virtual desktop security:
